by Jason Zandri
Welcome to the fourth installment of Learn Active Directory Design and Administration in 15 Minutes a Week, a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft. This week the topic is Active Directory Domains, Organizational Units and the Global Catalog.
Jason Zandri’s latest article in the Learn Active Directory Design and Administration in 15 Minutes a Week continues the topic of Active Directory Logical Architecture and specifically covers Domains, Organizational Units, and the Global Catalog.
Active Directory Logical Architecture
As you make preparations for the installation of your first Windows 2000 Domain Controller into your environment, whether that be a pristine forest or into an existing domain, you need to have a solid understanding of all of the different parts that make up the Windows 2000 Active
Windows 2000 domains are the core unit of the logical structure in Active Directory, and that structure can be made up of one or more domains. Windows 2000 domains can span more than one physical location as well.
All network objects exist within a domain, and each domain stores information only about the objects it contains.
By definition, a Windows 2000 domain is an administrator-defined logical grouping of computer systems, servers and other hardware which share a common directory database. Windows 2000 domains must have a unique name within the Active Directory
Windows 2000 domains provide access to domain user accounts, domain security group accounts and domain distribution group accounts maintained by the domain administrator, or other system administrators, as appointed by the domain or enterprise administrators through delegation of authority.
A domain is also a security boundary.
Objects in the Active Directory have a Security Descriptor that stores information about the object's owner and the groups to which the owner belongs. The discretionary access control list (DACL) of the object lists the security principals (users, groups, and computers) that have access to the object and their level of access.
The system access control list (SACL) lists the security principals that should trigger (if any) audit events when accessing the
The discretionary access control list for an object specifies the list of users and groups that are authorized to access the object and also what levels of access they have. The kinds of access that can be assigned to an object (or denied) depend on the object type. (You cannot assign the manage documents access right to a file server as this right is assigned to printers
The discretionary access control list for an object consists of a list of access control entries (ACEs) which can apply to a class of objects, an object, or an attribute of an object. Each access control entry specifies the security identifier (SID) of the security principal to which the ACE applies, as well as the level of access to the object permitted for the security principal.
[NOTES FROM THE FIELD] – In plain English this means your user account (SID) can access a specific file on a file server or print to a printer (object), because the permissions that are set for the object (the access control entries – ACEs – in the discretionary access control list for the object) allow you the right to read the file or print to the
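To make the security descriptor, DACL, SACL and ACE relationships concrete, here is a small Python model of an access check, added as an illustration and not code from the article or from Windows itself. The SIDs, the simplified rights bits (READ, WRITE, EXECUTE, PRINT) and the per-object-type rights table are constructed assumptions; the evaluation order (explicit deny ACEs first, a matching deny on any requested right fails the check, allow ACEs accumulate until every requested right is covered, an empty DACL grants nothing) follows the general Windows access-check behaviour the text describes.

```python
from dataclasses import dataclass, field

# Simplified access-mask bits (assumption for this example; real Windows masks
# are 32-bit and object-specific).
READ, WRITE, EXECUTE, PRINT = 0x1, 0x2, 0x4, 0x8

# Rights that exist for each object type, so a printer-only right cannot be
# placed on a file (the article's "manage documents on a file server" point).
VALID_RIGHTS = {"file": READ | WRITE | EXECUTE, "printer": PRINT}

# Constructed placeholder SIDs in the S-1-5-21-<domain>-<rid> shape; not real accounts.
DOMAIN = "S-1-5-21-111-222-333"
ALICE = f"{DOMAIN}-1001"
BOB = f"{DOMAIN}-1002"
DOMAIN_USERS = f"{DOMAIN}-513"   # 513 is the well-known RID for Domain Users


def rights_valid_for(object_type: str, mask: int) -> bool:
    """True when every bit in mask is a right that exists for this object type."""
    return (mask & ~VALID_RIGHTS[object_type]) == 0


@dataclass
class ACE:
    sid: str                     # security principal this entry applies to
    mask: int                    # rights it grants, denies, or audits
    allow: bool = True           # DACL: True = access-allowed, False = access-denied
    audit_success: bool = False  # SACL: log when a matching access succeeds
    audit_failure: bool = False  # SACL: log when a matching access fails


@dataclass
class SecurityDescriptor:
    owner_sid: str
    object_type: str
    dacl: list = field(default_factory=list)
    sacl: list = field(default_factory=list)

    def add_ace(self, ace: ACE, to_sacl: bool = False) -> None:
        """Append an ACE, rejecting rights that do not exist for this object type."""
        if not rights_valid_for(self.object_type, ace.mask):
            raise ValueError(f"right 0x{ace.mask:x} is not valid for a {self.object_type}")
        (self.sacl if to_sacl else self.dacl).append(ace)


def check_access(sd: SecurityDescriptor, user_sid: str, group_sids, requested: int) -> bool:
    """Walk the DACL in order: a deny ACE for one of the token's SIDs that covers any
    requested right fails the check at once; allow ACEs accumulate rights until every
    requested bit is covered. If the DACL runs out first, access is denied."""
    token = {user_sid, *group_sids}
    granted = 0
    for ace in sd.dacl:
        if ace.sid not in token:
            continue
        if not ace.allow:
            if ace.mask & requested:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False


def audit_events(sd: SecurityDescriptor, user_sid: str, group_sids, requested: int,
                 succeeded: bool) -> list:
    """Return the SIDs of the SACL entries that would fire an audit event for this access."""
    token = {user_sid, *group_sids}
    fired = []
    for ace in sd.sacl:
        if ace.sid in token and ace.mask & requested:
            if (succeeded and ace.audit_success) or (not succeeded and ace.audit_failure):
                fired.append(ace.sid)
    return fired


def build_sample_descriptor() -> SecurityDescriptor:
    """A file owned by Alice, with ACEs in canonical order (explicit denies first)."""
    sd = SecurityDescriptor(owner_sid=ALICE, object_type="file")
    sd.add_ace(ACE(DOMAIN_USERS, WRITE, allow=False))       # no member of Domain Users may write
    sd.add_ace(ACE(ALICE, READ | WRITE | EXECUTE))            # the owner is granted full rights
    sd.add_ace(ACE(DOMAIN_USERS, READ))                       # every domain user may read
    sd.add_ace(ACE(DOMAIN_USERS, WRITE, audit_failure=True), to_sacl=True)  # audit failed writes
    return sd


def demo() -> dict:
    sd = build_sample_descriptor()
    results = {
        "bob_read": check_access(sd, BOB, [DOMAIN_USERS], READ),
        "bob_write": check_access(sd, BOB, [DOMAIN_USERS], WRITE),
        # Alice has an explicit allow, but the deny on Domain Users comes first and she is a member.
        "alice_write": check_access(sd, ALICE, [DOMAIN_USERS], WRITE),
    }
    results["bob_write_audit"] = audit_events(sd, BOB, [DOMAIN_USERS], WRITE, results["bob_write"])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The Alice case is the one worth remembering when troubleshooting permissions: an explicit deny ACE on a group the user belongs to is evaluated before the user's own allow ACE, so the owner of the file is refused write access, and the SACL entry turns that refusal into an audit event a monitoring team can pick up.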
In Windows 2000 domains, objects include files, folders, shares, printers, and other Active Directory objects. Security policies and settings do not cross from one domain to another, and the domain administrator has absolute rights to set permissions and policies only within that specific domain (unless they are specifically granted administrative control in other domains or are also members of the Enterprise Administrators group).
[NOTES FROM THE FIELD] – Much of this information is an Exam Requirement for both the 70-217 AND the 70-219 exams. Some would argue it is more so for the 217 and I would agree, but if you do not have the underpinnings from the Administration pieces of 70-217, you’ll be hard pressed to pull off the Design requirements for 70-219.
Domains are also units of replication. Domain controllers for the domain contain a replica of Active Directory and can receive changes to information in Active Directory and replicate these changes to all of the other domain controllers in the domain.